Writing Exercise - July 2022 - v1.0 - Draft
What is the most inventive or innovative thing you've done? It doesn't have to be something
that's patented. It could be a process change, product idea, a new metric or customer facing
interface – something that was your idea. It cannot be anything your current or previous
employer would deem confidential information. Please provide us with context to understand the
invention/innovation. What problem were you seeking to solve? Why was it important? What was
the result? Why or how did it make a difference and change things?
Writing Guidelines
1. Write in the style you would use to write a business whitepaper or essay and do not use bullet
points, graphics, tables, charts or flow charts.
2. Do not include any confidential or proprietary information from current/past employers.
3. Remember as you write that the reader may not be familiar with specific technical terminology,
corporate cultures, and scenarios. Use language and descriptions in your response that enable
readers to fully understand the situation.
4. Please limit your response to 1-2 pages (no more than 8000 characters).
Need to add a Quote on Application Security Related
Innovation is all about finding and filling people’s unmet needs
Scenario / Problem: The cyber security group of a large financial enterprise had a failed
internal audit (incomplete application assessments, coverage and remediation of
vulnerabilities), a regulatory compliance mandate, business risk on new mobile apps and slow
adoption of industry standards. The team was struggling to complete the application security
assessments on critical and high applications (only 75 apps covered in the past 2 years) and
needed to bring a process change, implement additional security assessment controls for
mobile, open source and APIs, and scale to cover 800+ applications across the Lines of
Business (LOB).
The application security services needed a transformation: deliver 300+ application
security Source Code Assessments (SCA) in less than 8 months, and implement sustainable,
scalable process changes and adoption of new technologies.
I adopted two main strategies: looking in greater detail at each LOB stream, its user
experience and challenges (the microscope approach), and seeking a broader view of the services
and the patterns they exhibit as a group (the telescope approach). This insight and analysis,
together with a detailed ground-reality check on the existing process, key issues, a review of the
application data, customer expectations (internal, business and regulatory), existing technical
tools, solutions and team capabilities, helped me formulate the ideas and a plan to address this
wide variety of needs within a short timeline.
My idea was to implement a 3-dimensional strategic solution (process changes, implementation
of automation and additional tools, and team augmentation). I formed a core team of 5 members
(Business Analyst, Security Architect, Sr Developer, PM, LOB representative), presented my
view and thought process, held a brainstorming session, asked the team to challenge it, took the
feedback and finalized the overall approach. I presented this to senior management with a
detailed plan and a request for budget approval and support.
The key game changer was putting my idea into action, which I acknowledge came through my
past experience in dealing with transformation projects, large numbers of applications,
working with customers, technology depth, an automation mindset, vendor relationships and
industry connections.
At a high level, what was needed was adoption of new tools and automation of existing tools, a
shift-left approach (identify early and fix during development), enabling a developer
self-service mode, scaling the platform, accelerating assessments for a limited period (bringing
in external vendor support), changes to the existing process (adopting mandatory security
controls, approvals by LOB security champions, making application owners responsible and
creating a security culture), application security training, remediation support and creation of
reusable certified components and libraries.
I formed 7 key tracks and identified leads for the BA track, Engineering track, Application
Delivery track, Project Management track, Vendor Evaluation track, Developer Enablement track and
Customer / LOB track (led by me). My plan was to run all these tracks in parallel. We implemented
a collaboration tool and a SharePoint site, authorized the leads to make decisions, and enabled
the teams with additional logistical and operational support.
An application inventory and classification survey was launched to collect details on each
application: LOB, technology / language, type of application (web: internet or intranet),
legacy, third party, regulatory mandate, and whether the source code is available with the
enterprise. Based on this we arrived at a revised number of applications needing application
security assessments. The result: around 300 applications (Critical and High) needed to be
covered (35% internet facing, 40% intranet and the remaining 25% legacy and regulatory
need).
I identified security champions in each LOB and reviewed the scope of applications, customer
priority and expectations with them. Based on this, I presented the final scope and schedule of
delivery of the application assessments to the business owner and received the sign-off.
The Vendor Evaluation track, with representatives from the BA and PM tracks, floated an RFP (key
criteria: delivery excellence, false positive analysis, extensive tool knowledge and support) to
select a vendor for faster scanning and analysis of the source code. I did the RFP
presentation and provided all the clarifications; it was my idea to ask for app-based
pricing instead of the traditional addition of headcount. 5 global vendors submitted quotes, and a
technical evaluation was conducted by the core team along with the cross-functional Procurement
and Legal teams for price, terms and conditions. We finalized the vendor that had the delivery
and technical capability and the optimal cost / price per application to meet our demand.
Additional RFPs were floated and fast tracked to finalize the Mobile Security, Open Source
Assessment and Developer Training platforms. I took ownership, reviewed with the teams,
took the decisions based on my past implementation experience and industry connections, and
onboarded 3 new tools in a record timeline of 3 months.
The Engineering team is the heart of this program. The existing tool generated a large number of
false positives, its rule engine was not updated and it had issues with reporting. I
had previous experience in reducing the number of false positives, fine tuning the rule engine,
implementing security standards such as mandating adherence to the OWASP Top 10, and generating
summary and detailed reports. The team took these inputs and engaged the existing tool vendor to
implement customized rules and fine tuning to reduce false positives. The Engineering team did
a quick POC to implement a SecDevOps model, integrating the SCA tool with the code
repository and Jenkins and enabling developers to run the code analyzer in self-service mode.
Additionally, the Engineering team onboarded the new tools for Mobile Application Security and
Open-Source Assessment. In the first year the Engineering team conducted the mobile app
assessments (completed 40 apps) and open source reviews, and enabled the Delivery track
to take on the additional assessment services.
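The false-positive tuning, OWASP Top 10 mapping, reporting and self-service gate described above can be illustrated with a small post-processing step that sits between the scanner and the developer. The script below is an added example, not the program's or any tool vendor's code: the findings JSON, the suppression rules and the rule-to-OWASP mapping are all constructed for illustration and do not reflect any real tool's export format.

```python
"""Post-processing of static code analysis (SCA) findings: documented suppression
rules to cut known false positives, OWASP Top 10 mapping for the summary report,
and a shift-left gate a self-service pipeline can act on.
Constructed example; findings, rules and mapping below are made up."""
import fnmatch
import json
from collections import Counter

# Constructed sample findings in a generic shape (not a real tool's format).
RAW_FINDINGS = json.loads("""
[
 {"id": 1, "rule": "sql-injection",    "severity": "Critical", "file": "src/orders/Dao.java",   "line": 88},
 {"id": 2, "rule": "hardcoded-secret", "severity": "High",     "file": "src/test/DbFixture.java", "line": 12},
 {"id": 3, "rule": "xss-reflected",    "severity": "High",     "file": "src/web/Search.java",   "line": 40},
 {"id": 4, "rule": "weak-random",      "severity": "Medium",   "file": "src/util/Ids.java",     "line": 7},
 {"id": 5, "rule": "log-forging",      "severity": "Low",      "file": "src/web/Login.java",    "line": 55},
 {"id": 6, "rule": "path-traversal",   "severity": "High",     "file": "vendor/lib/Zip.java",   "line": 301}
]
""")

# Customized suppression rules: rule glob + path glob + a written reason.
# The reason is what keeps false-positive tuning reviewable by auditors.
SUPPRESSIONS = [
    {"rule": "hardcoded-secret", "path": "src/test/*", "reason": "test fixtures, no real credentials"},
    {"rule": "*", "path": "vendor/*", "reason": "third-party code, tracked by the open-source review"},
]

# Assumed mapping of tool rule ids to OWASP Top 10 (2021) categories.
OWASP_MAP = {
    "sql-injection": "A03 Injection",
    "xss-reflected": "A03 Injection",
    "path-traversal": "A01 Broken Access Control",
    "weak-random": "A02 Cryptographic Failures",
    "hardcoded-secret": "A07 Identification and Authentication Failures",
    "log-forging": "A09 Security Logging and Monitoring Failures",
}

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]


def apply_suppressions(findings, suppressions):
    """Split findings into (kept, suppressed); a suppressed finding records why."""
    kept, suppressed = [], []
    for f in findings:
        hit = next((s for s in suppressions
                    if fnmatch.fnmatch(f["rule"], s["rule"])
                    and fnmatch.fnmatch(f["file"], s["path"])), None)
        if hit:
            suppressed.append({**f, "suppressed_by": hit["reason"]})
        else:
            kept.append(f)
    return kept, suppressed


def summarize(findings):
    """Summary report: counts by severity and by OWASP Top 10 category."""
    by_sev = Counter(f["severity"] for f in findings)
    by_owasp = Counter(OWASP_MAP.get(f["rule"], "Unmapped") for f in findings)
    return {"by_severity": {s: by_sev.get(s, 0) for s in SEVERITY_ORDER},
            "by_owasp": dict(by_owasp),
            "total": len(findings)}


def gate(summary, max_critical=0, max_high=0):
    """Shift-left gate for a self-service run: True means the build may proceed."""
    sev = summary["by_severity"]
    return sev["Critical"] <= max_critical and sev["High"] <= max_high


def detailed_report(findings):
    """Detail report lines, most severe first, for the developer walkthrough."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return [f'{f["severity"]:8} {OWASP_MAP.get(f["rule"], "Unmapped")} - {f["rule"]} '
            f'at {f["file"]}:{f["line"]}' for f in ordered]


if __name__ == "__main__":
    kept, dropped = apply_suppressions(RAW_FINDINGS, SUPPRESSIONS)
    report = summarize(kept)
    print(json.dumps(report, indent=2))
    print("\n".join(detailed_report(kept)))
    print(f"{len(dropped)} finding(s) suppressed as documented false positives")
    print("GATE:", "PASS" if gate(report) else "FAIL - fix Critical/High before merge")
```

Run stand-alone it suppresses two findings (the test fixture secret and the vendored library), reports one Critical and one High on the remaining four, and fails the gate; a pipeline job would return that result to the developer without a security analyst in the loop, which is the self-service mode described above.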
The Application Delivery track, a combination of in-house developers, analysts and vendor staff,
did an exceptional job in faster turnaround of application code assessments, walking
developers through their vulnerabilities, providing remediation tips and driving adoption of
reusable components. The platform capacity was scaled by adding RAM and storage to the existing
servers (vertical scaling) for each LOB (legacy apps) and 10 VMs for parallel batch processing
(horizontal scaling), with a prioritized schedule and quick reruns of application assessments in
almost 24*7 mode (coverage achieved through scalability, automation and effective team
utilization across geographies).
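The prioritized batch schedule across parallel scan VMs described above amounts to a list-scheduling problem: highest criticality first, each job to the worker that frees up earliest. The simulation below is an added example, not the program's own scheduler; the application names, criticalities and scan durations are constructed, and no real scanner is invoked.

```python
"""Prioritized batch scheduling of application scans across parallel scan workers.
Added example with constructed data; simulates the queue only."""
import heapq

# Constructed inventory: (application, criticality, estimated scan hours).
APPS = [
    ("payments-api", "Critical", 6),
    ("mobile-wallet", "Critical", 4),
    ("loan-portal", "High", 5),
    ("hr-intranet", "High", 2),
    ("legacy-ledger", "High", 8),
    ("marketing-site", "Medium", 1),
    ("reporting-batch", "Medium", 3),
]

PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def schedule(apps, workers):
    """Greedy list scheduling: highest criticality first (longest scan first within a
    tier), each job to the worker that becomes free earliest.
    Returns (plan per worker as (app, start, end) tuples, makespan in hours)."""
    ordered = sorted(apps, key=lambda a: (PRIORITY[a[1]], -a[2]))
    free_at = [(0, w) for w in range(workers)]  # (time worker is free, worker index)
    heapq.heapify(free_at)
    plan = {w: [] for w in range(workers)}
    for name, _crit, hours in ordered:
        t, w = heapq.heappop(free_at)
        plan[w].append((name, t, t + hours))
        heapq.heappush(free_at, (t + hours, w))
    makespan = max((end for jobs in plan.values() for _, _, end in jobs), default=0)
    return plan, makespan


def completion_times(plan):
    """Hour at which each application's scan finishes."""
    return {name: end for jobs in plan.values() for name, _, end in jobs}


if __name__ == "__main__":
    for n in (1, 3, 10):
        plan, span = schedule(APPS, n)
        print(f"{n:2} worker(s): batch completes in {span} hours")
    plan, _ = schedule(APPS, 3)
    for w, jobs in plan.items():
        print(f"worker {w}:", ", ".join(f"{a} [{s}-{e}h]" for a, s, e in jobs))
```

With one worker the constructed batch takes 29 hours; with three it takes 11, and with ten every scan starts at once and the batch is bounded by the longest single scan (8 hours). The ordering also guarantees that every Critical application finishes before any Medium one starts, which is the property a prioritized schedule is meant to give the audit evidence.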
Developer enablement provided training on the source code analyser tool to LOB developers /
users so they could run their code in self-service mode. From my past experience, I know that
the root cause of vulnerabilities can be addressed with secure code training for developers,
bringing a security mindset to the organization. With this idea, a third-party training
enablement platform was rolled out across the LOBs for nearly 2000 developers, with
self-learning program modules assigned with the support of the security champions. I rolled out
this program across all the key global locations, conducting sessions along with the vendor, a
hackathon and an application security day with business and technology leaders participating,
and this created a strong security culture in the organization.
The Project Management track, working closely in collaboration with all the tracks, handled
the process changes, status reporting, issue tracking and interaction with key stakeholders, LOB
business owners and security champions. This team took responsibility for new services
adoption and the rollout of Mobile, Open-Source assessment and the Developer training platform
(supporting the Developer Enablement track) across the digital and business teams.
The Customer / LOB track engaged the business and senior leaders with monthly updates,
created an online dashboard and reports, and provided visibility of the application assessments,
vulnerabilities remediated and open items, clearly showcasing the reduction of business risk.
To summarize the end results, the transformation program was highly successful (the success rate
is 95% and it will reach its full potential in the next 1-2 years): scanning of 300
applications was completed in 7 months (100%, ahead of schedule), and the internal audit and
external regulatory mandate were met (100% of Critical and High vulnerabilities remediated).
Process changes were implemented for self-service, security controls and authorization by
security champions (increasing process maturity 3-fold), along with technology solutions such as
automation, tools for Mobile and Open Source assessments and certified components to meet
the business demand for faster delivery and remediation (3 days for an assessment compared to
2 weeks earlier, reduction in business risk across 5 LOBs, quick remediation, fewer
medium/low vulnerabilities). The security training platform benefited 2000+ developers, which
resulted in a 75% reduction in critical and high vulnerabilities. Overall, 40% cost savings were
achieved through the app-based pricing model versus headcount addition. Key lessons and best
practices were documented for continuous process improvement.